OncoCyte Notice of Privacy Practices



OncoCyte is committed to maintaining the privacy of your protected health information (PHI) that is provided to us. This document specifies our privacy practices, including how we use and/or disclose your PHI in compliance with the Standards for Privacy of Individually Identifiable Health Information (IIHI), issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). As a covered entity, we are required to protect and maintain the privacy of all of your health information, to provide you with notice of our legal duties and privacy practices regarding PHI, and to abide by the terms of this Notice. This Notice describes your privacy rights and our efforts to maintain your trust by following the standards for patient privacy and confidentiality.

Your Personal Health Information

In order to provide you with laboratory services, we receive your health information from your healthcare provider or another laboratory that asked us to test your sample. The HIPAA Privacy Rule requires us to protect any of this health information that will identify you, such as your name, date of birth, medical record number, social security number, telephone number, and address. We protect this information regardless of the form in which we receive and manage the information (e.g., oral, written, or electronic).

Allowable Uses or Disclosures of Your Personal Health Information

The HIPAA Privacy Standards allow healthcare entities to receive and disclose your information without obtaining your authorization, for treatment, payment, and healthcare operations purposes.  Each of these purposes are explained below.

Treatment: When we receive a requisition for laboratory services requested by your healthcare provider or a referring laboratory, it contains your name, date of birth, and other identifiable information. The disclosure of this information to us is considered treatment, as is our disclosure of the laboratory results to the referring laboratory or your healthcare provider.

Payment: We may legitimately use and disclose your health information for payment purposes, for example, sending your information to a billing service to file claims for us with health plans or other payers.

Healthcare Operations: We may disclose your information as part of our internal operations to maintain the high quality of our laboratory services. We may use or disclose protected health information, for instance, to assure quality, accreditation and certification, licensing, or credentialing activities.

Business Associates: We may disclose your Protected Health Information to other companies or individuals, known as “Business Associates,” who provide services to us. For example, we may use a company to perform billing services on our behalf. Our Business Associates are required to protect the privacy and security of your Protected Health Information and notify us of any improper disclosure of information.

Personal Representatives: We may disclose Protected Health Information about you to an authorized personal representative, such as a lawyer, administrator, executor, or other authorized person responsible for you or your estate.

Legitimate Use and Disclosure and When Required by Law

The HIPAA Privacy Standards specify certain other circumstances where we may legally use or disclose protected health information without your authorization; these situations generally are for public health and safety, legal, and judicial purposes.

Public health: As required by law, we may disclose your health information to public health or legal authorities and other entities charged with preventing or controlling disease, injury, or disability.  We may also disclose health information for health oversight activities.

Communication with family: Occasionally, our staff may discuss particular diseases and their inheritance patterns with you or your family members, if you agree. However, we will not release your results or other PHI to you or your family members.

Research: We may disclose information to researchers when an institution’s review board (a committee that reviews the ethics of research projects) has reviewed the proposed study and established protocols to ensure the privacy of the health information used in their research and determined that the researcher does not need to obtain your authorization prior to using your PHI for research purposes.  We may also disclose information about descendants to researchers under certain circumstances.

Organ procurement organizations: We may disclose health information consistent with applicable law to organ procurement organizations or other entities for the purposes of tissue donation and transplant.

Food and Drug Administration (FDA): We may disclose to the FDA health information relative to adverse events with respect to product defects or post-marketing surveillance information to enable product recalls, repairs, or replacement.

Workers compensation: We may disclose health information to the extent authorized by, and necessary to comply with, laws relating to worker’s compensation or other similar programs established by law.

Correctional institution: If you are an inmate of a correctional institution, we may disclose to the institution or agents thereof health information necessary for the health and safety of other individuals.

Law enforcement: We may disclose health information for law enforcement purposes as required by law or in response to a valid subpoena. We may also disclose health information to appropriate agencies if we believe there is the possibility of abuse, neglect, or domestic violence.

Judicial proceedings: We may disclose health information to courts or administrative agencies in response to a court order, or a discovery request.  In the case of the latter, we will not disclose the information unless we are satisfied that you have been given notice of the request and have not objected, or the party seeking the information obtains an order protecting the information from further disclosure.

In All Other Situations We Use and Disclose Your Personal Information only with Your Authorization

Except as otherwise permitted or required, we do not use or disclose your personal health information without your written authorization and then we use or disclose it only in a manner consistent with the terms of that authorization. You may revoke the authorization to use or disclose any PHI at any time, by writing to the contact person listed in this Notice, unless we have already acted under that authorization.

Your Rights With Respect to Your Personal Health Information

Under the HIPAA Privacy Standards, you have certain rights with respect to your PHI. As a clinical laboratory, OncoCyte does not, as a matter of practice, deal directly with patients. Our contact for health information usually is your healthcare provider or another clinical laboratory. There may be unique circumstances in which OncoCyte responds directly to patients, but these circumstances are limited.

To the extent possible and appropriate, you should contact your healthcare provider to exercise the rights listed in this Notice.  We will try to accommodate requests from our healthcare provider clients, if legally permissible, and clinically appropriate to respond to your exercise of these rights, which include:

Right To Request Restrictions On Use Or Disclosure: You can request restrictions on certain uses and disclosures of your personal health information. While we will consider all requests for additional restrictions carefully, we are not required to agree to a requested restriction except for Payment restrictions where payment has been made “out-of-pocket” and “paid-in-full.”

Right To Inspect and Copy Personal Health Information: You have the right to request a copy of your personal information as we have received it, which may have an associated charge including what this charge is and the time it takes to provide a copy.  However, we are not permitted to disclose your test results directly to you, under California law.  You may ask your healthcare provider for a copy of your test results, if you wish.

Right To Amend Personal Health Information: You can request that we amend your personal health information or your clinical record. The HIPAA Privacy Standards provide that we can deny the request for amendment under certain specified circumstances.  If we do deny your request to amend, we will explain why to you, and explain your rights to seek review of that decision, if required under the HIPAA Privacy Standards.  You may ask your healthcare provider to request that OncoCyte amend your test results, if you wish.

Right To Receive An Accounting Of Disclosures of Personal Health Information: You can get a written accounting of all of our disclosures of your personal health information not directly related to treatment, payment, healthcare operations, or disclosed based on a signed authorization or for other legitimate purposes as stated above. The request must be in writing and state a time period, which may not be longer than the prior six years.

Right To Receive Personal Health Information via Confidential Communications: You have the right to request that we communicate with you about your Protected Health Information by alternative means or to an alternative address, email, or phone number.

Right To Receive this Notice of Privacy Practices: You can request and receive a free copy of this Notice of Privacy Practices in printed or electronic form by writing or calling the contact person listed in this Notice.

Right to Complain: We are committed to complying with the privacy practices described in this Notice of Privacy Practices. If you believe that we have violated any of them, you may file a complaint with us and/or with the Department of Health and Human Services, Office of Civil Rights.  To file a complaint with us, please send a letter to the contact person listed in this Notice.  OncoCyte will not retaliate in any way if you file a complaint with the Office of Civil Rights or with us.

Amendments to this Notice

We can revise or amend this Notice of Privacy Practices at any time and make the revisions effective for all personal information we receive and maintain, including any we created or received before the effective date of the revision or amendment. We will post the most recent version of this Notice on our website, at www.OncoCyte.com.

Access to Our Notice of Privacy Practices

You may request a copy of our current Notice of Privacy Practices, by writing to the contact person on this Notice. The current Notice of Privacy Practices is also available at our web site: www.OncoCyte.com.

Contacting Us Regarding our Privacy Practices

If you have any questions about our privacy practices or your personal health information, please contact us. Send questions, requests, or complaints to:

OncoCyte, Corporation

Attn: Privacy Officer

1010 Atlantic Avenue, Suite 102

Alameda, CA 94501
Phone: (510) 775-0515

EFFECTIVE DATE: March 29, 2019